Penetration testing at its best.

Database Security

Databases often hold an organisation's most critical business data. Hardening and securing critical databases should be performed as part of a structured development programme. Database security reviews are key tools in identifying misconfigurations and security weaknesses in database systems. Our database penetration testing service interrogates all aspects of database security and offers practical ways to harden, defend and secure your databases.

Underlying Server Security

If the underlying operating system that the database is running on is not secure, then an attacker will usually be able to access all the data. Typical weaknesses include insecure network services listening, a lack of firewalling, weak user accounts and privilege escalation vulnerabilities.

Authentication Mechanism

Many vulnerabilities have been identified in authentication mechanisms used by common database deployments. Ideally the database is locked down to allow only authorised users from specific workstations, but unfortunately this is rarely the case. Buffer overflows, format string bugs and authentication bypass vulnerabilities could allow an attacker to gain full access to the server and database.

Data and Communications Encryption

Who is listening on the network? This is impossible to know for sure and it is therefore imperative to encrypt all network traffic including login credentials and database session data going over the wire. Further, to protect data from unauthorised users or attackers with access to hard disk volumes,

User Permissions and Privilege Escalation

Databases with weak user accounts can give an attacker full access to the database. In some situations it may be possible to gain access as a low-privileged user and elevate privileges to take full control of the database.

Logging and Auditing

Logging and auditing are key to identifying what actions have been performed on the database and by whom. In the event of a security breach, without sufficient logging and audit data, it may be impossible to detect where the attack came from and how to recover from it.

Patching and Updating

Vulnerabilities in database code are being discovered all the time; it is therefore imperative to keep database servers patched and up to date before vulnerabilities are exploited by the bad guys.